Chokepoint Mapping as a Board-Level Discipline
Most boards cannot name their top five exposure points. That is the problem.
Ask the directors of almost any large firm to name the five physical or digital chokepoints through which their business must pass to function, and watch the room go quiet.
They will name one or two that have been in the news. The Strait of Hormuz, maybe. TSMC. A cloud provider. But the full list, the straits, the fabs, the rare earth refineries, the undersea cables, the DNS roots, the correspondent banks, the certificate authorities, the single-country precursor chemicals, is almost never on the table. It lives somewhere in the second or third layer of the organization, if it lives anywhere at all.
That is a company failure, and it is increasingly an existential one.
Why chokepoint exposure has become a governance question
For most of the last generation, chokepoints were an operational concern that could be left on the back burner absent a major geopolitical shock. Procurement managed suppliers. IT managed vendors. Treasury managed banking relationships. Each function maintained its own view, and the board reviewed enterprise risk in aggregate categories: cyber, supply chain, regulatory, geopolitical. Nothing was wrong with this arrangement when the underlying infrastructure was stable.
It is no longer stable. A chokepoint is no longer just a place where something can go wrong. It is a place where state actors now deliberately apply pressure, where non-state actors have learned to interdict, and where the convergence of physical and digital infrastructure means a single failure can cascade across functions that used to be independent. The result is that chokepoint exposure has migrated upward in the org chart (or it should have) because it now determines whether the firm can operate profitably or operationally under a foreseeable set of scenarios.
Operational risk that can take the company offline is board-level risk. Chokepoints qualify.
What a quarterly chokepoint review looks like
The discipline is simple. The work is not.
Once per quarter, the board and executive committee receive a list of the firm's top exposure points across five categories: physical logistics, digital infrastructure, financial plumbing, critical inputs, and human capital flows. Each point is named, located, and paired with a current assessment of its condition. The assessment is qualitative and short. What changed this quarter. What the firm would do in the first seventy-two hours of an impairment. Who owns the response?
The deliverable is not a heat map. Heat maps have failed this category because they abstract away the specifics that matter. The deliverable is a named list of places, institutions, and relationships, each with an owner inside the firm and a contingency that has been tested at least on paper.
The first time a firm does this exercise, it is uncomfortable. The list is longer than expected, the owners are unclear, and the contingencies do not exist. That discomfort is the point. It is the difference between a governance function that knows where its vulnerabilities are and one that is relying on hope.
The quiet advantage
Firms that run this discipline begin to notice something else. The same chokepoints that represent risk also represent the leverage points of their industry. Knowing them in detail, knowing who controls them, how they are being contested, how quickly the contest is moving, becomes a source of strategic insight that competitors operating with a heat map do not have. The risk discipline quietly becomes an opportunity discipline.
The boards that will govern well over the next decade are the ones that replace abstract risk categories with named, dated, and actively managed lists of chokepoints. The ones that do not will continue to be surprised by events that were, in retrospect, entirely mappable.
The only question worth asking at the next executive committee or board meeting is this. Do we have the list, and is it current?
If the answer is no, that is the agenda.
